[OpenAFS] question about authentication with kerberos and Default principal

Douglas E Engert deengert@gmail.com
Sat, 3 Mar 2018 09:42:50 -0600


Looks like the hostname is "localhost" on the ppc64.
Did you miss a step?


On 3/3/2018 9:15 AM, Gary Gatling wrote:
> Recently I decided to play around with some alternative architectures on Fedora with virt-manager/qemu. So I set up some power machines (ppc64 and ppc64le).
> I also made some arm machines but I gather openafs isn't quite ready yet for arm in 1.6.22.2.
> 
> I was able to compile openafs rpms for ppc64. I did not try ppc64le yet. It's very slow to build in an emulator. Surprisingly openafs builds and I am able to start the service and list afs directories.
> But I can't authenticate to Kerberos like I can on x86_64. I feel like I'm missing something basic but I'm unsure what it is.
> 
> When I run kinit on x86_64, I get
> 
> [gsgatlin@t540p ~]$ kinit gsgatlin
> Password for gsgatlin@EOS.NCSU.EDU:
> [gsgatlin@t540p ~]$ klist
> Ticket cache: KCM:1000
> Default principal: gsgatlin@EOS.NCSU.EDU
> 
> Valid starting       Expires              Service principal
> 03/03/2018 09:55:22  03/04/2018 07:10:22  krbtgt/EOS.NCSU.EDU@EOS.NCSU.EDU
> renew until 03/10/2018 09:55:17
> 
> 
> but on ppc64 emulator, I get
> 
> [gsgatlin@localhost bin]$ kinit gsgatlin
> Password for gsgatlin@EOS.NCSU.EDU:
> [gsgatlin@localhost bin]$ klist
> Ticket cache: KCM:1000:53854
> Default principal: @EOS.NCSU.EDU
> 
> Valid starting       Expires              Service principal
> 03/03/2018 09:56:23  03/04/2018 07:11:23  krbtgt/EOS.NCSU.EDU@EOS.NCSU.EDU
> for client gsgatlin@EOS.NCSU.EDU, renew until 03/10/2018 09:56:17
> 
> Notice the default principal says @EOS.NCSU.EDU instead of gsgatlin@EOS.NCSU.EDU like it did on x86_64.
> 
> So when I run aklog on ppc64 it fails
> 
> [gsgatlin@localhost bin]$ aklog -d -c eos.ncsu.edu -k EOS.NCSU.EDU
> Authenticating to cell eos.ncsu.edu (server eos01db.unity.ncsu.edu).
> We were told to authenticate to realm EOS.NCSU.EDU.
> Getting tickets: afs/eos.ncsu.edu@EOS.NCSU.EDU
> Kerberos error code returned by get_cred : -1765328243
> aklog: Couldn't get eos.ncsu.edu AFS tickets:
> aklog: unknown RPC error (-1765328243) while getting AFS tickets
> 
> 
> but on x86_64 (either on virt-manager or a real pc) I get
> 
> [gsgatlin@t540p ~]$ aklog -d -c eos.ncsu.edu -k EOS.NCSU.EDU
> Authenticating to cell eos.ncsu.edu (server eos01db.unity.ncsu.edu).
> We were told to authenticate to realm EOS.NCSU.EDU.
> Getting tickets: afs/eos.ncsu.edu@EOS.NCSU.EDU
> Using Kerberos V5 ticket natively
> About to resolve name gsgatlin to id in cell eos.ncsu.edu.
> Id 19149
> Set username to AFS ID 19149
> Setting tokens. AFS ID 19149 @ eos.ncsu.edu
> 
> Here is a link to my /etc/krb5.conf file on both systems:
> 
> https://pastebin.com/3HHP15c0
> 
> Does anyone know why it would work on one architecture (x86_64) but fail on another (ppc64)? Is my /etc/krb5.conf missing something? kinit is provided by Red Hat so I think I can't have messed up that particular binary.
> 
> [gsgatlin@localhost bin]$ which kinit
> /usr/bin/kinit
> [gsgatlin@localhost bin]$ rpm -qf /usr/bin/kinit
> krb5-workstation-1.15.2-7.fc27.ppc64
> 
> Thanks a lot for any ideas anyone may have.  I feel like I was close to getting everything working.
> 
> 

-- 

  Douglas E. Engert  <DEEngert@gmail.com>
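
Added example, not part of either message: a Python check for the two symptoms in the quoted report. It flags a klist default principal with an empty primary and splits the code aklog printed as "unknown RPC error" into its com_err table name and offset; the klist text is copied from the report, and the function names are assumptions of this example.

```python
import re

# com_err packs the error-table name into the upper 24 bits, 6 bits per char.
CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"

def decode_com_err(code):
    """Split a 32-bit com_err code into (table name, offset in that table)."""
    code &= 0xFFFFFFFF                      # signed value viewed as unsigned
    name = ""
    for shift in (18, 12, 6, 0):
        ch = ((code >> 8) >> shift) & 0x3F
        if ch:
            name += CHARSET[ch - 1]
    return name, code & 0xFF

def check_klist(text):
    """Return the problems found in one klist listing (hypothetical helper)."""
    problems = []
    m = re.search(r"^Default principal:[ \t]*(\S*)", text, re.M)
    default = m.group(1) if m else ""
    if not default.rpartition("@")[0]:
        problems.append("default principal %r has an empty primary" % default)
    # MIT klist prints "for client" only when a ticket's client differs
    # from the cache's default principal.
    for client in re.findall(r"for client (\S+),", text):
        problems.append("ticket client %s != default principal %r" % (client, default))
    return problems

# Listings copied from the quoted report (mail-client link residue removed).
X86_64_KLIST = """\
Ticket cache: KCM:1000
Default principal: gsgatlin@EOS.NCSU.EDU

Valid starting       Expires              Service principal
03/03/2018 09:55:22  03/04/2018 07:10:22  krbtgt/EOS.NCSU.EDU@EOS.NCSU.EDU
renew until 03/10/2018 09:55:17
"""
PPC64_KLIST = """\
Ticket cache: KCM:1000:53854
Default principal: @EOS.NCSU.EDU

Valid starting       Expires              Service principal
03/03/2018 09:56:23  03/04/2018 07:11:23  krbtgt/EOS.NCSU.EDU@EOS.NCSU.EDU
for client gsgatlin@EOS.NCSU.EDU, renew until 03/10/2018 09:56:17
"""

if __name__ == "__main__":
    for label, text in (("x86_64", X86_64_KLIST), ("ppc64", PPC64_KLIST)):
        print(label, check_klist(text) or "ok")
    # Offset 141 in MIT krb5's table is KRB5_CC_NOTFOUND.
    print(decode_com_err(-1765328243))
```

The decoded table name shows the number is a Kerberos library error that aklog passed through without translating, not an RPC error.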